Jamf Protect Custom Analytics

user-hBorjSMYEA
New Contributor

I'm a new customer of Jamf Protect and have to keep my Macs secure according to PCI compliance as well as CIS 20, and I'm starting to move towards ISO 27001.
Does anyone have any good custom analytics that they've built for meeting compliance and best practices needs that didn't come prebuilt?


Kelli_Conlin
New Contributor

Here are some of the custom analytics I have helped to build!

  1. Command Line Account Creation
    Sensor Type: GPProcessEvent
    $event.type == 1 AND $event.process.name == "/usr/bin/dscl" AND $event.process.commandLine CONTAINS " -create "

  2. Command Line Activity (Warning: This is noisy!!)
    Sensor Type: GPProcessEvent
    $event.type == 1 AND $event.process.commandLine LIKE "*"

  3. Curl Events
    Sensor Type: GPProcessEvent
    $event.type == 1 AND $event.process.signingInfo.appid == "com.apple.curl"

  4. DNSModification via hosts file
    Sensor Type: GPFSEvent
    $event.isModified == 1 AND $event.path ==[cd] "/private/etc/hosts"

  5. Launch Daemon Deleted
    Sensor Type: GPFSEvent
    $event.type == 1 AND $event.path MATCHES[cd] "(?:/System)?/Library/LaunchDaemons/.*\.plist"

  6. Launchctl Event
    Sensor Type: GPProcessEvent
    $event.type == 1 AND $event.process.path == "/bin/launchctl"

  7. Monitor Root User Creation
    Sensor Type: GPFSEvent
    $event.path MATCHES[cd] "/etc/passwd" AND (($event.isNewFile == 1 OR $event.isModified == 1)) AND FUNCTION($event.file, "newDelimitedEntries:comments:" , ".newlines", "#").@count > 0 AND FUNCTION($event.file, "newDelimitedEntries:comments:" , ".newlines", "#")[0] BEGINSWITH "root:"

  8. Screen Sharing Activity
    Sensor Type: GPProcessEvent
    $event.type == 1 AND $event.process.name == "screensharingd"

  9. Threat Prevention Quarantined
    Sensor Type: GPFSEvent
    $event.isNewFile == 1 AND $event.path MATCHES[c] "/Library/Application Support/JamfProtect/Quarantine/.*/.*"

  10. Users Created
    Sensor Type: GPFSEvent
    $event.isNewDirectory == True AND $event.path.stringByDeletingLastPathComponent == "/Users"

  11. Users Deleted (only detects the user home dir being deleted)
    Sensor Type: GPFSEvent
    $event.type == 1 AND $event.path.stringByDeletingLastPathComponent == "/System/Volumes/Data/Users"

  12. Jamf Pro Agent Removed (10.15 & above)
    Sensor Type: GPFSEvent
    $event.type == 1 AND $event.file.path == "/System/Volumes/Data/usr/local/jamf/bin/jamfAgent"

  13. Applications Added
    Sensor Type: GPFSEvent
    $event.isNewDirectory == True AND $event.path.stringByDeletingLastPathComponent == "/Applications"

  14. Files Downloaded from the Internet
    Sensor Type: GPDownloadEvent
    true == true

  15. Unsigned Keylogger In Action
    Sensor Type: GPKeylogRegisterEvent
    ( $event.source.signingInfo.signerType == 4 )

  16. Launchctl Unloaded
    Sensor Type: GPProcessEvent
    ( $event.type == 1 AND $event.process.path CONTAINS "/bin/launchctl" AND $event.process.args CONTAINS "unload" )
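To sanity-check predicates like these before enabling them, here is an added Python harness that is not from this thread or from Jamf: it re-expresses analytics 1, 4, 5 and 16 as functions and runs them over constructed sample events. The event dicts, their field layout and the args list are assumptions standing in for Jamf Protect's real event objects.

```python
import re
# Constructed sample events (illustrative dicts, not Jamf Protect's real event
# objects), shaped after the fields the predicates above reference.
SAMPLE_EVENTS = [
    {"id": 1, "sensor": "GPProcessEvent", "type": 1, "process": {
        "name": "/usr/bin/dscl", "path": "/usr/bin/dscl",
        "commandLine": "dscl . -create /Users/svcacct UniqueID 0",
        "args": ["dscl", ".", "-create", "/Users/svcacct", "UniqueID", "0"]}},
    {"id": 2, "sensor": "GPProcessEvent", "type": 1, "process": {
        "name": "launchctl", "path": "/bin/launchctl",
        "commandLine": "launchctl unload /Library/LaunchDaemons/com.example.agent.plist",
        "args": ["launchctl", "unload", "/Library/LaunchDaemons/com.example.agent.plist"]}},
    {"id": 3, "sensor": "GPFSEvent", "type": 1, "isModified": 0,
     "path": "/System/Library/LaunchDaemons/com.example.helper.plist"},
    {"id": 4, "sensor": "GPFSEvent", "type": 1, "isModified": 0,
     "path": "/Library/LaunchDaemons/readme.txt"},
    {"id": 5, "sensor": "GPFSEvent", "type": 0, "isModified": 1,
     "path": "/Private/Etc/Hosts"},
]

# NSPredicate MATCHES must match the whole string, so use re.fullmatch;
# the [cd] / [c] modifiers are approximated with re.I and lower().
LAUNCH_DAEMON_RE = re.compile(r"(?:/System)?/Library/LaunchDaemons/.*\.plist", re.I)

def cli_account_creation(ev):  # analytic 1
    p = ev["process"]
    return ev["type"] == 1 and p["name"] == "/usr/bin/dscl" and " -create " in p["commandLine"]
def launchctl_unloaded(ev):  # analytic 16 (args modelled as a list of strings)
    p = ev["process"]
    return ev["type"] == 1 and "/bin/launchctl" in p["path"] and "unload" in p["args"]
def launch_daemon_deleted(ev):  # analytic 5
    return ev["type"] == 1 and LAUNCH_DAEMON_RE.fullmatch(ev["path"]) is not None
def hosts_file_modified(ev):  # analytic 4
    return ev["isModified"] == 1 and ev["path"].lower() == "/private/etc/hosts"

ANALYTICS = {
    "GPProcessEvent": [("Command Line Account Creation", cli_account_creation),
                       ("Launchctl Unloaded", launchctl_unloaded)],
    "GPFSEvent": [("Launch Daemon Deleted", launch_daemon_deleted),
                  ("DNSModification via hosts file", hosts_file_modified)],
}

def run_analytics(events):
    """Return (analytic name, event id) for every sample event an analytic fires on."""
    return [(name, ev["id"]) for ev in events
            for name, rule in ANALYTICS.get(ev["sensor"], []) if rule(ev)]

if __name__ == "__main__":
    print(run_analytics(SAMPLE_EVENTS))
```

Event 4 (a non-plist file in LaunchDaemons) and the hosts event with mixed case show why the anchored match and the case-insensitive compare matter when you tune these predicates.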

aloewenthal
New Contributor

Hey @Kelli.Conlin, thanks for sharing your custom analytics! I've definitely taken note. Any chance you have any analytics created for logging firewall events?

T_Armstrong
Contributor

@Kelli.Conlin - Thank you! Great starting point. If anyone has tips for how to detect a specific process being killed, I'm all ears!